Security Alert: WordPress Timthumb Hacker on the Prowl

As most WordPress bloggers and site owners and administrators will already be aware, the TimThumb script that is popularly used for resizing images to create thumbnails for WordPress themes and plugins has a security vulnerability that allows hackers an easy ride into websites.

The vulnerability was made public at the beginning of August and was patched almost as soon as it was announced. However, I’ve noticed an increasing number of crawls of sites I manage by scripts looking for themes and plugins that use timthumb.php. These crawls produce 404 error reports in both the SEO Ultimate and Redirection plugins because the files the bots are hunting for do not exist on my servers. In every case, the crawler scanned the directories /wp-content/themes/ and /wp-content/plugins/.

10th Nov. 2011: Please see Bootnote for the best solution.

Scanned Themes and Directories

It looks like the bots are aimlessly scanning for any theme or plugin that might contain timthumb.php (or its alias, thumb.php).
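The 404 reports described above can be pulled straight out of the Apache access log instead of waiting for a plugin to surface them. The following script is an added example, not code from the original post: it assumes Apache’s “combined” log format (client IP in the first field, request path in the seventh), uses constructed sample log lines in place of a real access_log, and emits “deny from” lines in the same syntax as the block list below. The two-hit threshold is an assumed default, chosen so that a single stray 404 does not land an address on the list.

```shell
#!/bin/sh
# Added example (not from the original post): summarise access-log lines that
# probe for timthumb.php / thumb.php under wp-content and turn the repeat
# offenders into .htaccess "deny from" lines.
# Assumes the Apache "combined" log format: $1 = client IP, $7 = request path.

# Constructed sample log lines standing in for a real access_log.
SAMPLE_LOG='203.0.113.10 - - [20/Oct/2011:10:01:02 +0000] "GET /wp-content/themes/twentyten/timthumb.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Oct/2011:10:01:03 +0000] "GET /wp-content/plugins/some-plugin/thumb.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2011:10:05:00 +0000] "GET /wp-content/themes/foo/timthumb.php HTTP/1.1" 404 213 "-" "curl/7.21"
192.0.2.44 - - [20/Oct/2011:10:06:00 +0000] "GET /wp-content/themes/foo/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2011:10:07:00 +0000] "GET /wp-content/plugins/bar/timthumb.php HTTP/1.1" 404 213 "-" "curl/7.21"
198.51.100.7 - - [20/Oct/2011:10:07:01 +0000] "GET /wp-content/themes/baz/thumb.php HTTP/1.1" 404 213 "-" "curl/7.21"'

# timthumb_probers: read a log on stdin and print "<count> <ip>" for every
# client that requested timthumb.php or thumb.php under /wp-content/themes/
# or /wp-content/plugins/, most active first.
timthumb_probers() {
    awk '$7 ~ /^\/wp-content\/(themes|plugins)\/.*\/(timthumb|thumb)\.php/ { hits[$1]++ }
         END { for (ip in hits) printf "%d %s\n", hits[ip], ip }' |
    sort -rn
}

# deny_lines [MIN_HITS]: turn the prober summary into "deny from" lines for
# clients that probed at least MIN_HITS times (assumed default: 2).
deny_lines() {
    min=${1:-2}
    awk -v min="$min" '$1 >= min { print "deny from " $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | timthumb_probers
printf '%s\n' "$SAMPLE_LOG" | timthumb_probers | deny_lines
```

On a live server replace the sample with `timthumb_probers < /var/log/apache2/access_log`. The “order allow,deny / deny from” syntax used on this page is the Apache 2.2 form; on Apache 2.4 without mod_access_compat the same block is written as `Require not ip <address>` inside a `<RequireAll>` section together with `Require all granted`.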

IPs To Block

Place the following Apache directive into the .htaccess file in your server’s root directory. It tells your server to deny requests emanating from the stated IP addresses (updated 20th Oct. 2011):

order allow,deny
deny from 107.20.5.217
deny from 108.60.0.1
deny from 109.74.205.87
deny from 113.192.25.251
deny from 119.235.18.7
deny from 122.201.81.10
deny from 132.216.12.109
deny from 157.100.150.150
deny from 173.231.43.98
deny from 173.236.12.155
deny from 173.236.194.65
deny from 173.236.210.19
deny from 173.236.26.2
deny from 173.236.31.34
deny from 173.236.58.146
deny from 173.247.251.145
deny from 173.247.253.234
deny from 173.247.255.106
deny from 173.255.215.156
deny from 174.120.224.230
deny from 174.121.22.98
deny from 174.37.148.250
deny from 178.18.89.103
deny from 180.92.161.2
deny from 184.107.163.186
deny from 184.154.106.34
deny from 184.154.109.10
deny from 184.154.12.138
deny from 184.154.88.234
deny from 184.170.146.10
deny from 184.170.146.12
deny from 187.45.205.144
deny from 188.138.101.216
deny from 188.138.113.14
deny from 188.165.197.177
deny from 189.1.162.125
deny from 189.59.8.23
deny from 192.217.104.152
deny from 195.19.173.244
deny from 195.190.28.97
deny from 195.198.236.62
deny from 195.34.173.153
deny from 200.85.152.29
deny from 203.170.85.123
deny from 203.71.2.73
deny from 204.152.255.10
deny from 204.152.255.23
deny from 204.152.255.5
deny from 204.232.242.215
deny from 204.93.165.124
deny from 206.174.209.32
deny from 206.188.208.194
deny from 208.116.44.250
deny from 208.43.95.131
deny from 208.65.200.160
deny from 208.82.116.113
deny from 208.92.165.10
deny from 209.217.76.244
deny from 209.90.115.252
deny from 210.143.110.58
deny from 212.100.249.178
deny from 212.124.121.206
deny from 212.227.52.169
deny from 212.90.148.43
deny from 212.97.132.142
deny from 213.203.199.227
deny from 216.157.21.223
deny from 216.172.163.58
deny from 216.227.215.130
deny from 216.228.195.2
deny from 216.67.248.51
deny from 217.146.86.201
deny from 219.94.163.214
deny from 27.50.118.53
deny from 46.105.99.176
deny from 46.163.118.14
deny from 46.182.105.98
deny from 46.4.26.81
deny from 50.18.112.172
deny from 50.23.215.156
deny from 62.193.235.191
deny from 62.210.185.4
deny from 64.118.88.213
deny from 64.151.202.1
deny from 64.50.161.65
deny from 64.50.172.176
deny from 64.57.252.67
deny from 65.98.89.106
deny from 66.103.128.12
deny from 66.90.104.180
deny from 67.192.48.157
deny from 67.205.67.105
deny from 67.205.96.182
deny from 67.210.96.112
deny from 67.212.80.5
deny from 67.214.213.94
deny from 68.179.32.90
deny from 69.163.186.200
deny from 69.167.135.119
deny from 69.174.53.88
deny from 69.20.9.79
deny from 69.25.109.177
deny from 69.50.193.168
deny from 69.64.69.113
deny from 69.73.154.97
deny from 70.33.254.92
deny from 70.86.16.74
deny from 71.8.242.4
deny from 72.232.240.70
deny from 72.32.11.21
deny from 72.51.46.77
deny from 74.208.144.19
deny from 74.209.214.7
deny from 74.63.243.194
deny from 75.146.178.52
deny from 76.100.161.249
deny from 77.221.130.44
deny from 77.232.91.201
deny from 78.111.81.242
deny from 78.129.226.96
deny from 78.136.29.89
deny from 79.170.192.52
deny from 79.200.4.226
deny from 80.86.184.50
deny from 80.90.198.194
deny from 81.169.142.131
deny from 81.169.167.190
deny from 81.196.196.141
deny from 81.30.152.53
deny from 81.30.65.78
deny from 82.165.154.71
deny from 82.206.126.166
deny from 82.25.208.111
deny from 82.79.171.134
deny from 83.103.119.239
deny from 83.246.67.55
deny from 83.255.89.137
deny from 85.17.182.195
deny from 85.214.115.197
deny from 85.214.137.104
deny from 86.111.247.16
deny from 87.237.213.212
deny from 87.98.254.234
deny from 88.151.241.51
deny from 88.151.65.162
deny from 88.198.144.210
deny from 88.208.234.133
deny from 88.212.146.235
deny from 89.145.121.100
deny from 89.145.121.101
deny from 89.149.202.94
deny from 89.161.143.111
deny from 89.174.234.147
deny from 89.234.3.28
deny from 91.121.14.107
deny from 91.121.151.69
deny from 91.121.175.169
deny from 91.121.184.160
deny from 91.212.12.60
deny from 91.217.56.93
deny from 92.243.8.135
deny from 93.114.41.80
deny from 94.136.92.101
deny from 94.198.160.91
deny from 94.229.76.221
deny from 94.229.79.69
deny from 94.23.209.161
deny from 94.23.215.208
deny from 94.23.6.59
deny from 94.236.125.213
deny from 95.131.66.39
allow from all

The following IP addresses have been removed from the above list after the hosts or webmasters concerned replied to my alerts that their servers had been hacked.

deny from 69.175.60.114

Security Recommendations

Delete any themes and plugins that you no longer use and keep WordPress, all installed themes and all installed plugins up-to-date.

There is a plugin available to scan your WordPress wp-content directory for unpatched versions of TimThumb. Grab it from wordpress.org.
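If you would rather not install another plugin, the same inventory can be taken from a shell on the server. This is an added example, not the plugin’s code or anything from the original post: it assumes each copy of timthumb.php or thumb.php declares its version the way TimThumb does, with a line of the form define ('VERSION', '2.8.10');, and it runs over a constructed sample tree so it can be tried without a real wp-content directory.

```shell
#!/bin/sh
# Added example (not from the original post): list every timthumb.php /
# thumb.php under a wp-content directory together with the VERSION string it
# declares, so out-of-date copies stand out. Assumes a TimThumb-style line
# such as: define ('VERSION', '2.8.10');

# Constructed sample tree standing in for a real wp-content directory.
WPC=$(mktemp -d)
mkdir -p "$WPC/themes/alpha/lib" "$WPC/plugins/beta" "$WPC/themes/gamma"
printf "<?php\ndefine ('VERSION', '1.32');\n"   > "$WPC/themes/alpha/lib/timthumb.php"
printf "<?php\ndefine ('VERSION', '2.8.10');\n" > "$WPC/plugins/beta/thumb.php"
printf "<?php\n// copy with no VERSION line at all\n" > "$WPC/themes/gamma/timthumb.php"

# timthumb_inventory DIR: print "<path> <version-or-unknown>" for each copy,
# sorted by path so runs are comparable over time.
timthumb_inventory() {
    find "$1" -type f \( -name timthumb.php -o -name thumb.php \) | sort |
    while IFS= read -r f; do
        v=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
        printf '%s %s\n' "$f" "${v:-unknown}"
    done
}

timthumb_inventory "$WPC"
```

Run it as `timthumb_inventory /path/to/wp-content` and compare each reported version with the current release; a copy reporting “unknown” has been edited or is too old to carry a version line, and deserves to be replaced outright.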

Block public access to timthumb.php (and thumb.php) with an .htaccess FilesMatch directive. Copy and paste these lines into your topmost .htaccess file:

<FilesMatch "^(wp-config\.php|install\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|\.htaccess|readme\.txt|timthumb\.php|thumb\.php|error_log|error\.log)">
Deny from all
</FilesMatch>

The caret, ^, tells Apache to match only file names that “start with…” what follows; the parentheses, (), group the list of file names; the backslash before every full-stop tells Apache to treat the full-stop as a literal character (as opposed to a representation of any character); and the pipe, |, separates the alternatives, so the pattern matches any one of them (a regular-expression “OR”). Note that there is no closing $ anchor, so a name that merely begins with one of the listed names, such as timthumb.php.bak, is blocked as well.

Using the above snippet in .htaccess makes Apache refuse every HTTP request for the stated files; the files themselves stay on disk, and PHP running on the server can still include them. This means bots can’t fetch them, surfers can’t use them, and you can only view them while logged into your server, through its own file browser or an FTP program.

Once added, you will notice that most attempts to find timthumb.php cease after the first occurrence, because Apache answers with a “Forbidden” (“You do not have permission to view this file”) response.
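Before relying on the FilesMatch rule it is worth checking exactly which names it catches. The script below is an added example, not part of the original post: it copies the regular expression from the snippet above verbatim, applies it the way FilesMatch does (to the file name only, the last component of the path, which is the behaviour of Apache’s Files/FilesMatch directives), and reports a handful of constructed request paths as DENIED or allowed.

```shell
#!/bin/sh
# Added example (not from the original post): check which request paths the
# FilesMatch pattern above would block. FilesMatch tests the file name only
# (the last path component), so that is what blocked_by_filesmatch compares.

# The regular expression exactly as it appears in the .htaccess snippet.
PATTERN='^(wp-config\.php|install\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php|\.htaccess|readme\.txt|timthumb\.php|thumb\.php|error_log|error\.log)'

# blocked_by_filesmatch PATH: exit 0 if Apache would deny the request, 1 if not.
blocked_by_filesmatch() {
    name=${1##*/}                      # file name only, like FilesMatch
    printf '%s\n' "$name" | grep -Eq "$PATTERN"
}

# report PATH: one line per candidate, for a quick eyeball check.
report() {
    if blocked_by_filesmatch "$1"; then
        printf 'DENIED  %s\n' "$1"
    else
        printf 'allowed %s\n' "$1"
    fi
}

# Constructed request paths: the two TimThumb names, a config file, a backup
# copy (caught because there is no closing $ anchor), a file whose name only
# contains "thumb.php" (not caught because of the ^ anchor), and an image.
for p in \
    /wp-content/themes/example/timthumb.php \
    /wp-content/plugins/example/thumb.php \
    /wp-config.php \
    /wp-content/themes/example/timthumb.php.bak \
    /wp-content/themes/example/my-thumb.php \
    /wp-content/uploads/photo.jpg
do report "$p"; done
```

After deploying the rule, `curl -sI http://your-site.example/wp-content/themes/<theme>/timthumb.php` should come back with a 403 status. Bear in mind that themes which still build thumbnails by loading timthumb.php directly from an <img> tag will lose those thumbnails once direct requests are denied, so check the site’s pages as well as the status code.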

Bootnote

I have found a better solution than blocking IP addresses and bad hosts one at a time.

.htaccess rewrite rules can be used to block many RFI, XSS and SQL Injection attacks.

What Next?

When possible, I contact website owners and their hosts (if the site owner fails to respond) to alert them to malicious scripts on their servers. Maybe you could do the same to help rid the Net of malicious bots.

If you do think you’ve been hacked, then you should back up and download your wp-content directory, any files and directories you’ve created, and your database before deleting everything and reinstalling WordPress. A good guide to this is found at WP Service Masters.

As well as installing files on hacked servers, the hackers have been adding code to timthumb.php, wp-config.php, .htaccess, other WordPress core files, the index.php file of different themes… hence my recommendation to reinstall WordPress or, at minimum, its core files (via an update), all themes and all plugins.

There is another option besides reinstalling everything: use the free site scanner provided by Sucuri. It’ll give you an idea of where any malicious scripts reside (that is my affiliate link).

Jeff, I’m glad I helped. I update the block list daily so keep watch for new IPs being added.

Scan the contents of scripts on the server for known malicious code (I use Sucuri to monitor specific domains), reinstall applications, then check modification timestamps of all files and manually read any file with an older timestamp than the freshly installed ones, because older ones might not be files you put there. Also check for suspicious processes and traffic. A good list of network monitoring tools can be found at http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html#flow. pktstat shows the contents of GET and POST requests; Wireshark will do that and much, much more. pktstat is a command line program, Wireshark is graphical. Here’s an affiliate…


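The two checks recommended above (files that pre-date the fresh install, and scripts that contain known-bad constructs, the kind of additions to wp-config.php, .htaccess, core files and theme index.php files mentioned earlier in the post) can be scripted. The following is an added example, not code from the original post or from any of the tools it names: it runs over a constructed sample document root, treats one freshly installed file as the timestamp reference, and uses an assumed, deliberately short list of obfuscation calls as its pattern set. Every hit is something to read by hand, not proof of compromise.

```shell
#!/bin/sh
# Added example (not from the original post): after reinstalling WordPress,
# themes and plugins, (1) list files that are NOT newer than a file written by
# the fresh install, since the reinstall did not put them there, and (2) list
# PHP files containing constructs common in injected code. The pattern list
# is an assumed starting point, not an exhaustive signature set.

# Constructed sample tree standing in for a real document root.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/wp-content/themes/alpha" "$ROOT/wp-content/uploads"
printf '<?php // legitimate theme file\n' > "$ROOT/wp-content/themes/alpha/functions.php"
printf '<?php echo "hello";\n'            > "$ROOT/wp-content/themes/alpha/footer.php"
printf '<?php eval(base64_decode("ZWNobyAx"));\n' > "$ROOT/wp-content/uploads/cache.php"
printf '<?php // freshly installed\n'     > "$ROOT/wp-settings.php"

# Fix the timestamps explicitly so the sample does not depend on the clock:
# the reference and functions.php come from the November reinstall, the other
# two pre-date it (constructed dates).
touch -t 201111010000 "$ROOT/wp-settings.php"
touch -t 201111010001 "$ROOT/wp-content/themes/alpha/functions.php"
touch -t 201108010000 "$ROOT/wp-content/themes/alpha/footer.php" \
                      "$ROOT/wp-content/uploads/cache.php"

# older_than_install ROOT REFERENCE: files not newer than REFERENCE
# (the reference file itself is excluded).
older_than_install() {
    find "$1" -type f ! -newer "$2" ! -path "$2" | sort
}

# suspicious_php ROOT: PHP files containing typical obfuscation/eval calls.
suspicious_php() {
    grep -rlE --include='*.php' \
        'eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(' "$1" | sort
}

echo "== files older than the fresh install =="
older_than_install "$ROOT" "$ROOT/wp-settings.php"
echo "== PHP files with suspicious constructs =="
suspicious_php "$ROOT"
```

On a real server point both functions at the document root and use a file you know the reinstall wrote (wp-settings.php is only the marker chosen for this sample) as the reference. Expect legitimate matches too, for example uploads or caches you created before the reinstall, and a few plugins that genuinely call base64_decode; the value of the list is that it is short enough to read.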

Akyana

I watched someone from one of those IPs today scanning osCommerce for login files.

I don’t see many bad IPs now that I’ve renamed the wp-content directory and used .htaccess directives to lock down wp-login.php, wp-register.php and wp-signup.php. Highly recommended actions but back up first.



Daniël Mostertman

You can remove the 194.109.22.71 entry. It was one of our Shared Webhosting customers, and it’s cleaned up (a long time ago already).

Thank you for keeping me up to date. I’ve removed it. Please let me know if you notice any others that need to be removed.



Daniël Mostertman

Thanks :) Just wondering, is it necessary to be able to access timthumb.php directly? Or could we just redirect all timthumb.php requests to a 404 page? It’s kind of a unique name so it shouldn’t do much harm in that case (when disabling it server-wide).

You’re welcome. I need to update the post. The timthumb exploit no longer exists in the current version of Timthumb. If you’re worried that you are using an old version of Timthumb then just replace it with the latest version from http://code.google.com/p/timthumb/